Sigma rule conversion

[thekarannayak]

Hello,

I would like to convert the list of sigma rules that I have, to CrowdStrike detection query and Exabeam DL detection query.... is this currently supported?

[thomaspatzke]

For CrowdStrike there's a pySigma processing pipeline that converts the field namings, rewrites some values etc. to the CrowdStrike data schema. The Splunk backend then converts into a Splunk query. With Sigma CLI this can be done with:

sigma convert -p crowdstrike -t splunk <sigma rule dir or files>

There's no backend for Exabeam, also not for legacy sigmac.

[thomaspatzke]

Yes, just use the Elasticsearch backend. It's the Lucene backend. I don't know Exabeam but you likely need some rule transformation with pySigma processing pipelines to map field names and possibly others.

[thekarannayak]

Cool, thanks for your help!

[thekarannayak]

\sigma\cli\convert.py", line 114, in <listcomp>
    if not (pipelines[p].backends == () or target in pipelines[p].backends)
KeyError: 'crowdstrike'

I am getting above error when trying to use the sigma cli command that you shared, upon some digging it seems like there is no pipeline for keyword crowdstrike

>sigma list pipelines
+----------------------------+----------+----------------------------------------------------------------------------------+---------------------------+
| Identifier                 | Priority | Processing Pipeline                                                              | Backends                  |
+----------------------------+----------+----------------------------------------------------------------------------------+---------------------------+
| sysmon                     | 10       | Generic Log Sources to Sysmon Transformation                                     | all                       |
| crowdstrike_fdr            | 10       | Generic Log Sources to CrowdStrike Falcon Data Replicator (FDR) Transformation   | all                       |
| splunk_windows             | 20       | Splunk Windows log source conditions                                             | splunk                    |
| splunk_sysmon_acceleration | 25       | Splunk Windows Sysmon search acceleration keywords                               | splunk                    |
| splunk_cim                 | 20       | Splunk CIM Data Model Mapping                                                    | splunk                    |
| ecs_windows                | 20       | Elastic Common Schema (ECS) Windows log mappings from Winlogbeat from version 7  | elasticsearch, opensearch |
| ecs_windows_old            | 20       | Elastic Common Schema (ECS) Windows log mappings from Winlogbeat up to version 6 | elasticsearch, opensearch |
| ecs_zeek_beats             | 20       | Elastic Common Schema (ECS) for Zeek using filebeat >= 7.6.1                     | elasticsearch, opensearch |
| ecs_zeek_corelight         | 20       | Elastic Common Schema (ECS) mapping from Corelight                               | elasticsearch, opensearch |
| zeek                       | 20       | Zeek raw JSON field naming                                                       | all                       |
| windows                    | 10       | Generic Log Sources to Windows Transformation                                    | all                       |
+----------------------------+----------+----------------------------------------------------------------------------------+---------------------------+

Above is the list of pipelines supported, hence instead of crowdstrike I need to use crowdstrike_fdr

Is this correct?

[thomaspatzke]

Exactly! Please note that this is the raw format from Falcon Data Replicator logs. The field naming varies a bit to the builtin Splunk (e.g. _decimal suffixes for some field names), but this shouldn't matter for the Sigma rules.

[thekarannayak]

Sounds good, thanks for your comment!